Sunday, January 15, 2012

What is ARQC?

Each EMV transaction request is supposed to contain an ARQC, which is a cryptogram generated from the transaction data. In the context of EMV, a cryptogram can be thought of as a digital signature on the financial transaction. A valid, verifiable cryptogram tells you two things:

- the financial message originated from the source that it claims to be from
- the contents of the message have not been altered

There are two cryptograms used in EMV: ARQC (Authorisation Request Cryptogram) and ARPC (Authorisation Response Cryptogram). The first one, ARQC, is generated by the card (after taking some values from the terminal), and hence it's part of a request message. The second one, ARPC, is generated by the issuer and hence it's part of a response message.

Steps for ARQC Generation

There are four basic steps to ARQC generation:

1. Card Key Derivation
2. Session Key Derivation
3. Preparation of Input Data in ARQC Calculation
4. Encryption/Hashing (the final step that gives the ARQC)

Restating the above list, the first step is to derive the card key and then use the card key to derive a session key. In parallel, we need to prepare some data and then encrypt that data with the session key derived in the previous step.

Exact details vary from one chip program to another!

Step 1 and 2: Card and Session Key Derivation

When a card is out in the field, it already contains the Issuer Master Key. But to create an ARQC for a particular transaction, two new keys are required: the first key is called the Card Key and the second key is called the Session Key. Each EMV scheme (such as M/Chip and Visa) has its own algorithm for generation of the card key and/or the session key. Some of these algorithms are standardized and part of the EMV specification, while others are proprietary to the vendor.

The Card Key is unique to the card and the Session Key is unique to the transaction. It is the Session Key that is used for the final encryption in step 4.

Step 3: Data Preparation

In parallel to the key derivation as described above, an important step of ARQC generation is “preparation of input data”, mentioned as point #3 in the list above. Once again, which EMV tags are concatenated to prepare this input data is EMV scheme specific.

Step 4: ARQC Generation

Finally, once the Session Key and Input Data are ready, the Input Data is encrypted using the Session Key to give the ARQC.

28 comments:

The exact algorithms depend on the card scheme. For example, Visa might have a different procedure as compared to Mastercard. I'll check what details are available as open standard (in the form of EMV) and post back. Thanks for asking!

Hello Sir, I am from Turkey and need to ask some things about EMV. My mail is kendagasan@gmail.com and my Skype name is kendagasan. I need to finish my project; if you could please help me with this matter I will be thankful, sir.

Hello. Thanks for the information provided. I wanna ask you about something that has happened these days.

I am sending an AMEX EMV transaction to ATS (AMEX TEST SYSTEM), but it's complaining about an incorrect application cryptogram. So I need a way to recalculate it to confirm whether it is good or bad. I know that ARQC is based on some input data from the terminal that are compared to the CDOL from the card.

Hello Carlos, AMEX uses its GNSWeb simulator, which usually has an inbuilt tool to calculate ARQC, so you need to know the TLV from the terminal and input it into the tool along with the card number and PAN seq num. The basic tags required for ARQC calc are:

- 9f02 - terminal
- 9f03 - terminal
- 9f1a - terminal
- 95 - terminal
- 5f2a - terminal
- 9a - terminal
- 9c - terminal
- 9f37 - terminal
- 82 - icc
- 9f36 - icc
- 9f10 - cvr bytes from ICC

Also, apart from this, you have to update the card details with the EMV crypto keys, also known as IMK. So all in all there are 3 keys in the AMEX sim: crypto keys (for chip card), MAC keys (for MAC) and integrity keys (for PIN).
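Step 3 (data preparation) with the tag list from the comment above, as an added example that is not from the original post or its commenters: it parses terminal and ICC TLV data, concatenates the listed tags in order, and pads the result for a block cipher. The padding method (ISO/IEC 9797-1 method 2), the position of the CVR inside 9F10, and every sample value are assumptions made for illustration; the real choices are scheme specific.

```python
# Added illustration; not code from the original post. All sample values are constructed.
# Tag order follows the list in the comment above; real order and content are scheme specific.
ARQC_TAGS = ["9F02", "9F03", "9F1A", "95", "5F2A", "9A", "9C", "9F37", "82", "9F36", "9F10"]

def parse_tlv(data: bytes) -> dict:
    """Parse a flat run of BER-TLV objects into {tag_hex: value_bytes}."""
    out, i = {}, 0
    try:
        while i < len(data):
            start = i
            if data[i] & 0x1F == 0x1F:      # low five bits set: tag has more bytes
                i += 1
                while data[i] & 0x80:       # high bit set: another tag byte follows
                    i += 1
            i += 1
            tag = data[start:i].hex().upper()
            length = data[i]
            i += 1
            if length & 0x80:               # long form: low bits give the length-of-length
                n = length & 0x7F
                length = int.from_bytes(data[i:i + n], "big")
                i += n
            if i + length > len(data):
                raise ValueError(f"tag {tag}: value runs past end of buffer")
            out[tag] = data[i:i + length]
            i += length
    except IndexError:
        raise ValueError("truncated TLV data") from None
    return out

def build_arqc_input(terminal_tlv: bytes, icc_tlv: bytes, cvr: slice) -> bytes:
    """Concatenate the values of ARQC_TAGS in order; `cvr` selects the CVR bytes of 9F10."""
    fields = {**parse_tlv(terminal_tlv), **parse_tlv(icc_tlv)}
    missing = [t for t in ARQC_TAGS if t not in fields]
    if missing:
        raise ValueError(f"missing tags: {missing}")
    fields["9F10"] = fields["9F10"][cvr]    # assumption: CVR offset is supplied by the caller
    return b"".join(fields[t] for t in ARQC_TAGS)

def pad_iso9797_m2(data: bytes, block: int = 8) -> bytes:
    data += b"\x80"                         # assumed padding: 0x80, then zeros to a full block
    return data + b"\x00" * (-len(data) % block)

TERMINAL_TLV = bytes.fromhex("9F0206000000001000" "9F0306000000000000" "9F1A020840"
                             "95050000000000" "5F2A020840" "9A03120115" "9C0100" "9F370411223344")
ICC_TLV = bytes.fromhex("82025800" "9F36020001" "9F100706010A03A00000")

if __name__ == "__main__":
    print(pad_iso9797_m2(build_arqc_input(TERMINAL_TLV, ICC_TLV, slice(3, 7))).hex().upper())
```

A cryptogram mismatch like the one described in the question above can come from this step alone: a different tag order, a missing tag, or a different padding rule changes the input before any key is involved.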

You cannot calculate ARQC, as the master key of the card will be in a secured layer, and unique for every transaction. You need the following data: master key, PAN, PAN sq no, ATC, terminal data, card data, and above all the algorithm and key parity. If you somehow get the master key and record a card session, you may calculate it.